DEBIAN-CVE-2025-12801

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-12801

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-12801.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-12801

Upstream

CVE-2025-12801

Published

2026-03-04T16:16:23.900Z

Modified

2026-03-19T04:00:10.038805Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'rootsquash' or 'allsquash' attributes that would normally be expected to apply to that client.

References

https://security-tracker.debian.org/tracker/CVE-2025-12801

Affected packages

Debian:11 / nfs-utils

Package

Name: nfs-utils
Purl: pkg:deb/debian/nfs-utils?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.3.4-6

1:1.3.4-6+deb11u1

1:2.*

1:2.5.4-1~exp1

1:2.5.4-1~exp2

1:2.5.4-1~exp3

1:2.5.4-1~exp4

1:2.5.4-1~exp5

1:2.6.1-1~exp1

1:2.6.1-1

1:2.6.1-2

1:2.6.2-1~exp1

1:2.6.2-1

1:2.6.2-2

1:2.6.2-3

1:2.6.2-4

1:2.6.3-1~exp1

1:2.6.3-1

1:2.6.3-2

1:2.6.3-3

1:2.6.3-4~exp1

1:2.6.4-1~exp1

1:2.6.4-1

1:2.6.4-2

1:2.6.4-3

1:2.6.4-4

1:2.6.4-5

1:2.6.4-6

1:2.7.1-1~exp1

1:2.7.1-1

1:2.7.1-2

1:2.7.1-3

1:2.8.1-1~exp1

1:2.8.1-1

1:2.8.1-2

1:2.8.2-1

1:2.8.2-2~exp1

1:2.8.2-2

1:2.8.2-3

1:2.8.3-1~exp1

1:2.8.3-1

1:2.8.4-1

1:2.8.4-2

1:2.8.5-1

1:2.8.6-1

1:2.8.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-12801.json"

Debian:12 / nfs-utils

Package

Name: nfs-utils
Purl: pkg:deb/debian/nfs-utils?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:2.*

1:2.6.2-4

1:2.6.2-4+deb12u1

1:2.6.3-1~exp1

1:2.6.3-1

1:2.6.3-2

1:2.6.3-3

1:2.6.3-4~exp1

1:2.6.4-1~exp1

1:2.6.4-1

1:2.6.4-2

1:2.6.4-3

1:2.6.4-4

1:2.6.4-5

1:2.6.4-6

1:2.7.1-1~exp1

1:2.7.1-1

1:2.7.1-2

1:2.7.1-3

1:2.8.1-1~exp1

1:2.8.1-1

1:2.8.1-2

1:2.8.2-1

1:2.8.2-2~exp1

1:2.8.2-2

1:2.8.2-3

1:2.8.3-1~exp1

1:2.8.3-1

1:2.8.4-1

1:2.8.4-2

1:2.8.5-1

1:2.8.6-1

1:2.8.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-12801.json"

Debian:13 / nfs-utils

Package

Name: nfs-utils
Purl: pkg:deb/debian/nfs-utils?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:2.*

1:2.8.3-1

1:2.8.4-1

1:2.8.4-2

1:2.8.5-1

1:2.8.6-1

1:2.8.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-12801.json"

Debian:14 / nfs-utils

Package

Name: nfs-utils
Purl: pkg:deb/debian/nfs-utils?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.8.6-1

Affected versions

1:2.*

1:2.8.3-1

1:2.8.4-1

1:2.8.4-2

1:2.8.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-12801.json"